A collection of PowerShell scripts to audit Windows systems by configuring and enforcing security controls adhering to Microsoft Baseline.

offsechq/windows-security

Windows Security Hardening Scripts

PowerShell scripts to enable or disable key Windows Defender and platform hardening controls using registry-backed configuration.

Scope

This repository provides paired enable-* and disable-* scripts for:

  • Attack Surface Reduction (ASR)
  • Cloud Protection
  • Exploit Protection
  • LSA Protection
  • Network Protection
  • Real-Time Protection
  • SmartScreen
  • Tamper Protection
  • Virtualization-Based Security (VBS)
  • Windows Firewall

Requirements

  • Windows with PowerShell
  • Run as Administrator
  • Reboot may be required for some controls
  • Validate in non-production first

Quick Start

Enable all controls (Tamper Protection last)

$b = "https://raw.githubusercontent.com/OFFSECHQ/windows-security/main"
$enableOrder = @(
  "attack-surface-reduction/enable-asr.ps1"
  "cloud-protection/enable-cloud-protection.ps1"
  "exploit-protection/enable-exploit-protection.ps1"
  "lsa-protection/enable-lsa-protection.ps1"
  "network-protection/enable-network-protection.ps1"
  "realtime-protection/enable-realtime-protection.ps1"
  "smartscreen/enable-smartscreen.ps1"
  "virtualization-based-security/enable-vbs.ps1"
  "windows-firewall/enable-firewall.ps1"
  "tamper-protection/enable-tamper-protection.ps1"
)
$enableOrder | ForEach-Object { irm "$b/$_" | iex }

Disable all controls (Tamper Protection first)

$b = "https://raw.githubusercontent.com/OFFSECHQ/windows-security/main"
$disableOrder = @(
  "tamper-protection/disable-tamper-protection.ps1"
  "attack-surface-reduction/disable-asr.ps1"
  "cloud-protection/disable-cloud-protection.ps1"
  "exploit-protection/disable-exploit-protection.ps1"
  "lsa-protection/disable-lsa-protection.ps1"
  "network-protection/disable-network-protection.ps1"
  "realtime-protection/disable-realtime-protection.ps1"
  "smartscreen/disable-smartscreen.ps1"
  "virtualization-based-security/disable-vbs.ps1"
  "windows-firewall/disable-firewall.ps1"
)
$disableOrder | ForEach-Object { irm "$b/$_" | iex }

Module Index

| Module | Enable Script | Disable Script |
|---|---|---|
| attack-surface-reduction | enable-asr.ps1 | disable-asr.ps1 |
| cloud-protection | enable-cloud-protection.ps1 | disable-cloud-protection.ps1 |
| exploit-protection | enable-exploit-protection.ps1 | disable-exploit-protection.ps1 |
| lsa-protection | enable-lsa-protection.ps1 | disable-lsa-protection.ps1 |
| network-protection | enable-network-protection.ps1 | disable-network-protection.ps1 |
| realtime-protection | enable-realtime-protection.ps1 | disable-realtime-protection.ps1 |
| smartscreen | enable-smartscreen.ps1 | disable-smartscreen.ps1 |
| tamper-protection | enable-tamper-protection.ps1 | disable-tamper-protection.ps1 |
| virtualization-based-security | enable-vbs.ps1 | disable-vbs.ps1 |
| windows-firewall | enable-firewall.ps1 | disable-firewall.ps1 |

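Base raw URL: https://raw.githubusercontent.com/OFFSECHQ/windows-security/main/

This URL tracks the main branch, so the Quick Start commands download and execute whatever the branch contains at the moment they run.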

Operational Notes

  • Apply changes through change control in managed environments.
  • Confirm policy conflicts (GPO, Intune, MDE baselines) before enforcement.
  • Capture current state before bulk rollout.
  • Use OPERATIONS.md for backup, restore, and post-change verification commands.
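
One way to capture current state before a rollout and diff it afterwards, as an added example that is not taken from this repository or its OPERATIONS.md. It uses the built-in Defender, NetSecurity and ProcessMitigations cmdlets; the output folder and function names are hypothetical, and the registry values read are the standard Windows locations, which the page does not confirm are the ones the repository's scripts write.

```powershell
#Requires -RunAsAdministrator
# Added example: snapshot the controls listed under Scope, then diff after the change.
function Get-RegValue([string]$Path, [string]$Name) {
    # $null means the key or value is absent, i.e. not configured at this location.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-HardeningSnapshot {
    $mp = Get-MpPreference
    $st = Get-MpComputerStatus
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
            -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [ordered]@{
        AsrRuleIds         = $mp.AttackSurfaceReductionRules_Ids
        AsrRuleActions     = $mp.AttackSurfaceReductionRules_Actions
        CloudMapsReporting = $mp.MAPSReporting
        SubmitSamples      = $mp.SubmitSamplesConsent
        NetworkProtection  = $mp.EnableNetworkProtection
        RealTimeEnabled    = $st.RealTimeProtectionEnabled
        TamperProtected    = $st.IsTamperProtected
        LsaRunAsPPL        = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
        SmartScreenPolicy  = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'EnableSmartScreen'
        VbsStatus          = $dg.VirtualizationBasedSecurityStatus
        VbsServicesRunning = $dg.SecurityServicesRunning
        Firewall           = @(Get-NetFirewallProfile | ForEach-Object {
            [ordered]@{ Profile = $_.Name; Enabled = "$($_.Enabled)"
                        Inbound = "$($_.DefaultInboundAction)" }
        })
    }
}

$dir = Join-Path $env:ProgramData 'hardening-baseline'   # hypothetical output folder
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Get-HardeningSnapshot | ConvertTo-Json -Depth 4 |
    Set-Content -Path (Join-Path $dir "state-$stamp.json") -Encoding UTF8

# Exploit Protection is per-process and large; export it in Windows' own XML format.
Get-ProcessMitigation -RegistryConfigFilePath (Join-Path $dir "exploit-protection-$stamp.xml")

# Run the script once before and once after the rollout; this diffs the two newest snapshots.
$last2 = @(Get-ChildItem $dir -Filter 'state-*.json' | Sort-Object Name | Select-Object -Last 2)
if ($last2.Count -eq 2) {
    Compare-Object (Get-Content $last2[0].FullName) (Get-Content $last2[1].FullName)
}
```

A value that does not change after an enable script runs is worth checking against the GPO, Intune or MDE baseline conflicts mentioned above.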

Disclaimer

These scripts change critical security settings. You are responsible for testing, validation, and production impact.